
Spy Sheriff / Desktop hijack malware [CLOSED]

mrpotatoes

Posted 18 June 2005 - 11:13 AM


New Member

Member

3 posts

Yesterday morning I came in to the computer room and discovered my computer riddled with a series of viruses that seem to have appeared overnight. The first was Trojan-Spy.html.smitfraud.c and I used the smitfraud.reg file for that. I tried using KillBox, as recommended in the guide for removal, but it had trouble with the "paste from clipboard" function. Then I rebooted.

When my computer restarted, the Trojan seemed to have disappeared, although I'm not sure it's actually gone. In its place, I had a nice little desktop hijack. My background was changed to read "SYSTEM STOPPED" in large red letters with smaller text beneath about how my computer had a serious malfunction due to spyware blah blah blah. Then, I ran Ad-aware SE, Spybot, and ewido. Spybot found nothing, but the other two found a bunch. ewido cleaned up a few trojans and even a trojandownloader.

Now we are up to today. Right now, the background is a sort of blue and I can't change it to anything else. That's the most apparent problem, but it doesn't seem too serious. It just kind of slows the machine a lot. Norton AntiVirus detected a Bloodhound.W32.EP in C:\WINDOWS\system32\wininet.dll and it won't go away. Norton can't delete or repair it, although it's tried many times. I suspect the virus can be removed by deleting the file in Safe Mode, but I haven't done this yet.


Excal

Posted 26 June 2005 - 11:28 PM


Malware Slayer Extraordinaire!

Retired Staff

12,739 posts

Hi mrpotatoes and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a multi-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

I noticed that your HiJackThis.exe is located on your desktop. Make sure to save HijackThis in its own folder (i.e. C:\HJT). This is very important, so HiJackThis can save backups!

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

DOWNLOAD PROGRAMS

Download smitRem.zip and save the file to your desktop. Right click on the file and extract it to its own folder on the desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup

Don't run it yet!

First, we need to remove the pepper trojan. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much -- this is normal): http://www.geekstogo...=download&id=18

THE FIX

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

Instead of Windows loading as normal, a menu should appear

Select the first option, to run Windows in Safe Mode.

Go to Start->Run and type in services.msc and hit OK. Then look for ZESOFT - Unknown owner and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\voesgt.exe
C:\WINDOWS\ehstkpod.exe
C:\WINDOWS\dquz.exe
C:\WINDOWS\System32\TfiNf.exe
C:\WINDOWS\System32\IEHost.exe
c:\windows\system32\izeyfu.exe
C:\WINDOWS\system32\l?gonui.exe
EGDACCESS_1059.dll <====== Start > Search to find this

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.

Now open Ewido Security Suite

Click on scanner

Make sure the following boxes are checked before scanning:

Binder

Crypter

Archives

Click on Start Scan

Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
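Before deleting anything by hand in Safe Mode, it helps to know which of the named items are actually on the machine, what state the service is in, and what the ambiguous "l?gonui.exe" entry resolves to. The script below is an added example, not something posted in this thread or shipped with smitRem; it takes the service name and file paths from the instructions above and only reports on them (no deletion), writing the result to a report file whose location is an assumption. Because PowerShell treats "?" in a path as a one-character wildcard, every file matching that pattern is listed with its size, timestamp, SHA-256 hash and publisher, so a legitimate Windows binary with a similar name can be told apart from an impostor before anything is removed.

```powershell
# Added example, not part of the original post: inventory the files and the
# service named in the removal instructions and report what is present.
# Paths and the service name come from the post; the report location is assumed.

$Paths = @(
    'C:\WINDOWS\System32\bridge.dll',
    'C:\WINDOWS\System32\voesgt.exe',
    'C:\WINDOWS\ehstkpod.exe',
    'C:\WINDOWS\dquz.exe',
    'C:\WINDOWS\System32\TfiNf.exe',
    'C:\WINDOWS\System32\IEHost.exe',
    'C:\windows\system32\izeyfu.exe',
    'C:\WINDOWS\system32\l?gonui.exe'   # '?' is a one-character wildcard in PowerShell
)
$ServiceName = 'ZESOFT'
$SearchRoot  = 'C:\'                                                  # where the DLL search runs
$Report      = Join-Path $env:USERPROFILE 'Desktop\malware-inventory.txt'   # assumed location

$Lines = New-Object System.Collections.Generic.List[string]

# 1. Service state: the instructions say to Stop it and set Startup type to Disabled,
#    so record the current status, start mode and the binary it points at.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $Lines.Add("SERVICE $ServiceName : Status=$($svc.Status) StartMode=$($cim.StartMode) Path=$($cim.PathName)")
} else {
    $Lines.Add("SERVICE $ServiceName : not installed")
}

# 2. File presence. Get-Item expands the '?' wildcard, so every file matching
#    l?gonui.exe is listed. -Force includes hidden and system files.
foreach ($p in $Paths) {
    $found = Get-Item -Path $p -Force -ErrorAction SilentlyContinue
    if (-not $found) { $Lines.Add("ABSENT  $p"); continue }
    foreach ($f in @($found)) {
        $hash    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $company = $f.VersionInfo.CompanyName
        $Lines.Add("PRESENT $($f.FullName) size=$($f.Length) mtime=$($f.LastWriteTime.ToString('s')) sha256=$hash company='$company'")
    }
}

# 3. The DLL the post says to locate with Start > Search: walk the drive for it.
$hits = Get-ChildItem -Path $SearchRoot -Filter 'EGDACCESS_1059.dll' -Recurse -Force -ErrorAction SilentlyContinue
if ($hits) {
    foreach ($h in $hits) { $Lines.Add("PRESENT $($h.FullName) (search hit)") }
} else {
    $Lines.Add("ABSENT  EGDACCESS_1059.dll (searched $SearchRoot)")
}

$Lines | Set-Content -Path $Report
$Lines   # also echo the report to the console
```

Run it from an elevated PowerShell prompt; a file that is present but in use (as the wininet.dll case later in this thread turns out to be) will still be hashed and listed, which is exactly the information worth keeping before a Safe Mode deletion attempt.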

mrpotatoes

Posted 29 June 2005 - 01:55 AM


New Member

Topic Starter

Member

3 posts

Thank you so much, Excal! Your help has worked very well and I think most everything is gone. A few things were different from what you suggested in your guide, but nothing particularly serious. Just a few files that didn't exist, that sort of thing. The only other problem was that Ewido crashed on two separate occasions at around 90% during the scan. It was scanning something on my F: drive, my secondary hard drive from an older computer. Because of this, I don't have an ewido log to post here, but from the analysis page, I see that it cleaned up a bunch of things and it doesn't detect Trojans as frequently anymore (it used to find several per day), so it has made progress.

Also, one other problem. I still have a desktop hijack virus (W32.Desktophijack, located in C:\WINDOWS\system32\WININET.dll). Norton has found it but can't delete it or repair it. I've run the scan twice in safe mode and both times Norton failed to fix or delete it. I can't delete the file manually either. Any suggestions?

And again, thank you so much for all your help. I appreciate you taking the time to write up that entire guide. It's made a huge difference. Thanks.

Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\l?gonui.exe <==== HJT is not recognizing the second letter of that file. Could be an O.
C:\Documents and Settings\Moshe Gray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv139.jar-d7c9bbb-111c1f8d.zip[Dummy.class]
C:\Documents and Settings\Moshe Gray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv139.jar-d7c9bbb-111c1f8d.zip[Matrix.class]
C:\Documents and Settings\Moshe Gray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv514.jar-663ccc2d-5a564c50.zip[Matrix.class]
C:\Documents and Settings\Moshe Gray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv514.jar-663ccc2d-5a564c50.zip[Dummy.class]
C:\Documents and Settings\Moshe Gray\Application Data\tvmcwrd.dll
C:\Documents and Settings\Moshe Gray\Application Data\tvmknwrd.dll
C:\GatorPatch.log
C:\install.htm
C:\keys.ini
C:\Program Files\Common Files\remove_tools.html
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\ClockSyncInst.inf
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\sepsd.bin
C:\WINDOWS\system32\datastore.dll
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\sub.dll
C:\WINDOWS\System32\ms.exe
F:\WINDOWS\INF\payload.inf
F:\WINDOWS\WEB\tips.ini
F:\WINDOWS\TEMP\Belt.ini
F:\WINDOWS\Downloaded Program Files\SbCIe026.dll
F:\WINDOWS\hh.htt
F:\install.htm
EGDACCESS_1059.dll <==== Start > Search for this one

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.

Now open Ewido Security Suite

Click on scanner

Make sure the following boxes are checked before scanning:

Binder

Crypter

Archives

Click on Start Scan

Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.